Safeguard Authentication Services for macOS allows you to authenticate to your macOS system, but before you can use a given account for authentication, you must prepare it for macOS authentication from a Windows Administrative Console through a process called Unix-enabling. However, if you do not have access or permissions to modify user account information in Active Directory, you can join and specify that you want the Safeguard Authentication Services client to locally generate Unix identity information.
To locally generate Unix identity information, select the Generate Unix Identity Attributes option when you join (or, if you are joining using the command line utility, specify the --autogen-posix-attrs flag). This allows you to use all the features of the Safeguard Authentication Services client, without requiring any modification to user information in Active Directory. If you plan to manage identity data in Active Directory globally, see Unix-enable a user.
You Unix-enable a user by entering the Unix attributes on the Unix Account tab in Active Directory Users and Computers (ADUC) MMC Snap-in.
To Unix-enable a user
- Log in to a Windows Administrative workstation.
- Start ADUC.
- Locate the user object that you would like to Unix-enable.
- Right-click on the user and select Properties.
- Select the Unix Account tab.
- Select the Unix-enabled check box. Default values are generated for the user.
- Adjust values as necessary and click OK.
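The same Unix-enabling can be scripted from the Windows side, which is useful when many accounts need consistent values. The following PowerShell is an added example, not part of the Safeguard Authentication Services documentation or product; it assumes the Unix Account tab writes the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos), that the ActiveDirectory module is installed, and that the caller has write access to the user object. It refuses to overwrite an existing uidNumber and rejects a UID that another account already holds, because two accounts sharing a uidNumber are one identity to the macOS client.

```powershell
# Added example (not from the Safeguard documentation): Unix-enable an AD user
# from PowerShell instead of the ADUC Unix Account tab. Assumes the RFC 2307
# attributes are the ones the Unix Account tab populates (an assumption).
#Requires -Modules ActiveDirectory
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [Parameter(Mandatory)] [int]    $UidNumber,
    [int]    $GidNumber  = 100,          # constructed default, adjust per site
    [string] $LoginShell = '/bin/bash',
    [string] $HomeBase   = '/Users'      # constructed default, adjust per site
)

$attrs = 'uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell', 'gecos'
$user  = Get-ADUser -Identity $SamAccountName -Properties $attrs -ErrorAction Stop

# Refuse to proceed if the user already carries a uidNumber: overwriting it
# silently changes file ownership mappings on every joined macOS host.
if ($user.uidNumber) {
    throw "$SamAccountName is already Unix-enabled with uidNumber $($user.uidNumber)"
}

# Reject a UID that another account already uses. Two users sharing a uidNumber
# are the same identity to the macOS client, which defeats per-user permissions.
$clash = Get-ADUser -LDAPFilter "(uidNumber=$UidNumber)" -ErrorAction Stop
if ($clash) {
    throw "uidNumber $UidNumber is already assigned to $($clash.SamAccountName)"
}

$values = @{
    uidNumber         = $UidNumber
    gidNumber         = $GidNumber
    unixHomeDirectory = "$HomeBase/$SamAccountName"
    loginShell        = $LoginShell
    gecos             = $user.Name
}
Set-ADUser -Identity $user -Replace $values -ErrorAction Stop

# Read back the attributes the macOS client will consume so the change is visible.
Get-ADUser -Identity $SamAccountName -Properties $attrs |
    Select-Object SamAccountName, uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos
```

Run it as `.\Unix-EnableUser.ps1 -SamAccountName jdoe -UidNumber 10001` from an account allowed to modify the user; the read-back at the end shows what the Unix Account tab would display.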
There are some known issues connecting to Windows shares using Finder. If you log in as a domain user, Safeguard Authentication Services obtains Kerberos credentials for your login session. Finder should use these credentials to automatically authenticate when connecting to Windows shares. Instead, Finder prompts you for your password. The two possible causes for these issues are explained in the following topics:
Problem:
When connecting to SMB shares on a domain controller, settings on the default domain controller policy can force a macOS client to Digitally Sign all traffic. Since macOS clients do not support digitally signing SMB traffic, this can lead to a failure when attempting to mount an SMB share.
This issue is related to two settings in the Default Domain Controllers Policy.
Resolution:
Disable the Default Domain Controller policy settings to allow macOS machines to connect to SMB shares.
To disable policy settings
- Open Active Directory Users and Computers, select the domain, right-click, and select Properties.
- Click the Group Policy tab.
  Note: If you use Windows Server 2008, there is an additional menu item, Policies, added between Computer Configuration and Windows Settings in the following sequence.
- If the Default Domain Controllers Policy is linked to this domain, navigate to Edit > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, double-click and disable the following two policies:
- If the Default Domain Policy is linked to this domain, navigate to Edit > Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, double-click and disable the following two policies:
  If these group policies are not currently defined, you can leave them unconfigured. If either policy is enabled and linked to the domain, however, the macOS computer is not able to use SMB connections to mount the Windows file shares.
- If you change these policies on the domain controller, run the gpupdate command to refresh the group policies before logging on to macOS computers.